Re: "This is the first really big attack on Macs,"

No, that happened over at Burger Kings twitter feed.

Re: "This is the first really big attack on Macs,"

Mac OS-X, over 1800 vulnerabilities and counting. That's 4 times more than windows XP and almost as bad a Linux dsitribution! And Mac users generally don't have antivirus wrapped round their Swiss Cheese of an OS either....

Re: "This is the first really big attack on Macs,"

Mutter mutter, something about horses, *jazz hands*

Re: "This is the first really big attack on Macs,"

GNU/Linux is developed in the open, so it will look like they have many bugs as one can see them all. Some bug won't even be a GNU or Linux issue, they'll be integration issues for a particular distro. Also, many of these bugs will be duplicates as various distros have a bug reported to them (a new ticket) which then gets filed with upstream (might be a new ticket, might join an existing one). This is before we get into the severity of said bugs. The projects are co-operative units, not closed and secretive monoliths like Apple and MS.

MS is cagey about what bugs they have and their publicly known list is probably a subset of the true picture.

I would have expected Apple to be the same if not even more anti-open, but as you cite no sources I guess we will just have to take what you say with a very large pinch of salt.

As for anti-virus - all PCs should run anti-virus, if only to protect Windows from itself.

Re: "This is the first really big attack on Macs,"

The total of 1800 is only referring to security vulnerabilities - not integration issues or other bugs . Like it or not, Linux distributions tend to have the highest vulnerability totals of any OSs. Even the Linux kernel alone has over 900 known vulnerabilities - about twice the total of the whole of Windows XP!

Re: "This is the first really big attack on Macs,"

I'll type this slowly. Publicly admitted. And I find it funny you ate comparing a dead OS to a living kernel which supports more hardware, more filesystems, more...

Re: "This is the first really big attack on Macs,"

XP is still on extended support - http://windows.microsoft.com/en-US/windows/products/lifecycle

Indeed it would seem to be pretty widely used still - http://en.wikipedia.org/wiki/Usage_share_of_operating_systems

Re: "This is the first really big attack on Macs,"

It dies (or is currently expected to) next year. It's no longer sold. That is so close to "dead" as makes no odds.

Just because idiots still usr IE6 does not make it any less dead either.

Comparing XP (developed in secret and near EOL) to the Linux kernel 3.8 (developed in public and still living) is not comparing like with like.

Re: Life without OS-X

Boy, am I glad I ditched OS-X a few years ago. I haven't missed it either.

Re: Life without Java

Java on the server is fine.

Java on the client would be fine if it wasn't managed by Oracle.

Re: Life without OS-X

Yes, makes me glad i run Windows....

There's a difference between malware or viruses and a very co-ordinated hack attempt.

Yes, the difference is what you call it. Basically you got p0wned...

Re: Where's my popcorn?

Yeah I poke a sharp stick at the fanbois about this on another page, but in general Macs really are more secure than Windows. Which is what makes this such a complete clusterfuck - it was an obvious hole even Windows fanbois saw it coming.

The bigger problem now is, Apple's a big company and it took them too long to find this. Given that the kernel is built on an OSS *nix core, have the hackers also been able to penetrate other *nix distributions/installs which have so far gone undetected? Given that we know neither what changes Apple made to the core nor enough details of the attack for your typical admin to check for the malware on his systems (beyond: are you running Java, which like it or not most business do) it's a bit unsettling. Gut says most of those systems are still secure (greater variety, admins tend to be more security aware, lower desktop distribution), but the brain wants proof and it can't get it.

Re: FaceBook gets hit? F'em.

ISTR that Apple do not let a vanilla Java distribution go straight to Macs. They take the new version, wave a magic cat over it for a few weeks (or whatever it is they do) and then release their approved version, now with more fruit.

I guess someone's spotted that Macs are the target of choice for Java vulns, as they're likely to have their knickers down for rather longer than other platforms, due to this delay while the wizards of Cupertino scry their runes.

Re: Not just Macs is it..

No, if the vulnerability is used to download and run native code - as it looks, the attack was targeted at Macs, not anyone running Java.

@LDS

No, all old java code, possibly new stuff too although hopefully Oracle fixed it. The attack detailed here is specific to the Mac, and the Macs had a particular affinity for it since Apple hadn't updated the code. But the vulnerability itself was in Java. Once you've got the Java exploit worked out, you can engineer other attacks on other systems. Put those attacks at different locations and you get multiple feeders. Then people going 'it's just a Mac attack' or 'it's just a Windows attack' will ignore their own vulnerabilities allowing your malware to spread further. If I were a State sponsor of cyber attacks, it's certainly the route I'd go. Thankfully for the world I'm just a help desk monkey and slightly dyslexic so math and I don't get along as well as I'd like.

Re: Practice safe browsing

They don't make it easy though.

Disable Java in chrome

Click the little iching symbol on the toolbar - well the three horizontal lines that means 'heaven' or settings

The select settings

Then click the show advanced settings link

Then click the content settings button (hint this is the one that is a heading not a link)

Then scroll down to plug-ins in the popup window

The click the disable individual plugins link (we are back to links now)

Then find Java and click disable

To quote Douglas Adams .... Have you ever thought of going into advertising ?

Re: Practice safe browsing

How about just doing this instead..

1) Type chrome://plugins into url bar,

2) Click on "disable" beside the java plugin

Re: can't really be blamed for security vulnerabilities in third-party software

So long as it remains third party software that is completely under control of the users, yes. Make it part of the OS and not something the user can fix and that changes to a big fat NO.

Re: Wouldn't have happened with Windows 8

Windows 8 employs a sophisticated AEFU layer (Anti-Ellison-F**K-Up - sorry Larry it's under your watch now) which sniffs out JVM holes and blocks them by injecting incredibly elegant java classes which intercept miscreants and route the badness into the ether via JNI. *Only* the geniuses at Microsoft can write code like that.

Re: Wouldn't have happened with Windows 8

He means Windows 8 can't run Java. Or, rather, Internet Explorer 10 in Windows Store mode doesn't run browser plug-ins, except for the Adobe Flash plug-in. Zero-days and all.

Java, Flash, and many other protocols that run in a web browser or handle downloaded files and also have access to the desktop system are potential holes in your computer security colander, I mean cordon. No, I was right with colander. But it's also true of documents for Microsoft Orifice. That's why those tools have to be patched as well. And it's true of WebGPUsr whatever that's called. Giving the Internet access to your graphics hardware is awfully unwise.

If these things need to be done, then they should be done for selected highly trusted web sites only. Or for no web sites. You can run Java and Flash as separate desktop applications with useful results.

Re: The Reality...

Now you need to be careful RainForestGuppy - there's no place for a reasoned, common sense, point on El Reg.

It should be a foaming-at-the-mouth rant against whichever OS/phone/slablet device and/or manufacturer you don't personally support!